Rooting A Server Without Any Root Kernel Exploits

Cron jobs are tasks scheduled to run at fixed times. If root has set up a cron job that runs a custom script, and we can write to that script, anything we put into it is executed as root the next time the job fires. One approach is to plant a fake error message so that the root user, when running the script by hand, types in his password. Keep in mind that cron itself runs jobs without a terminal, so nobody sees a prompt when the job fires on schedule; but because the job runs as root, whatever we write into the script runs with root privileges anyway.

First, check whether there are any cron jobs. Your own crontab is listed with:

crontab -l

This only shows the jobs of the user running the command. Root's jobs live in /etc/crontab, in /etc/cron.d/, in the /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly directories (all normally world-readable), and in /var/spool/cron/ (normally readable by root only). Read those files and note every custom script they run.

If you see a custom script, check whether you can write to it. Say the job runs /bin/cronscript. To inspect its permissions, type:

stat /bin/cronscript

The Access line shows the mode, for example (0777/-rwxrwxrwx). The last group of three letters is the permission for everyone else: if it contains a w (or the middle group does and you belong to the file's group), you can edit the file. Check the directory that holds the script too; if that directory is writable, you can replace the file outright even when the file itself is not writable.

Let's edit the file and plant the fake error message. First make a copy of the original script to /bin/cronscript.bak so it can be restored later:

You should just replace the underlined parts with your e-mail address and the name of the script.
After you save the file, type chmod +x /bin/cronscript so it stays executable. This script will:
- Print a fake error message
- Prompt for root's password
- E-mail the password to you (this needs a working mail command on the box, usually /usr/bin/mail)
- Restore the original file
When root runs the script in a terminal, he enters his password and it is sent to you. When cron itself runs the job there is no terminal, so the prompt is never seen; the script still executes as root, so anything else you put in it runs with root privileges. Some knowledge of bash scripting helps here.
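The check described above, automated: the script below is an added example and not part of the original post. It parses system-crontab lines (minute hour day month weekday user command, the format of /etc/crontab and /etc/cron.d/*), pulls every absolute path out of each job's command, and reports the ones that exist and are writable by the current user. The crontab and backup.sh it runs on are constructed in a temp directory for the demo; on a real box you would point it at /etc/crontab and the files in /etc/cron.d/.

```sh
#!/bin/sh
# Added example (not from the original post): find scripts that root's cron jobs run
# and that the current user can write to. Parses the system-crontab format
# (minute hour day month weekday user command) used by /etc/crontab and /etc/cron.d/*.

# Print only the command part of each job line. Skips comments, blank lines and
# NAME=value settings; handles both the 5-field time spec and @reboot/@daily style.
cron_commands() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^[[:space:]]*[[:alnum:]_]+=/ { next }
        {
            start = ($1 ~ /^@/) ? 3 : 7    # fields before the command: "@spec user" or "m h dom mon dow user"
            cmd = ""; sep = ""
            for (i = start; i <= NF; i++) { cmd = cmd sep $i; sep = " " }
            if (cmd != "") print cmd
        }' "$1"
}

# From those commands, print every absolute path that is an existing regular file
# writable by the current user. Looking at every token (not just the first) means
# "sh /opt/backup.sh" and "/opt/backup.sh" are both caught.
writable_cron_targets() {
    cron_commands "$1" | tr ' \t' '\n\n' | grep '^/' | sort -u | while read -r p; do
        if [ -f "$p" ] && [ -w "$p" ]; then
            echo "$p"
        fi
    done
}

# Demo on a constructed crontab in a temp directory (the real targets are
# /etc/crontab and /etc/cron.d/*). Paths below are made up for the demo.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/backup.sh" <<'EOF'
#!/bin/sh
tar czf /root/backup.tgz /srv
EOF
chmod 777 "$demo_dir/backup.sh"        # the misconfiguration: world-writable, run by root
cat > "$demo_dir/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
0 3 * * * root sh $demo_dir/backup.sh
@reboot   root $demo_dir/missing-tool -d
EOF
# missing-tool does not exist, so only backup.sh is reported
writable_cron_targets "$demo_dir/crontab"   # prints $demo_dir/backup.sh
```

On a real target, run it over all the system crontab files at once, for example with `for f in /etc/crontab /etc/cron.d/*; do writable_cron_targets "$f"; done`. The `-w` test uses your effective user ID, so it accounts for group membership as well as the world-writable bit.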

2 – Enumerating all SUID Files

A SUID file is an executable with the set-user-ID bit set: whoever runs it, it executes with the privileges of the file's owner. For a root-owned SUID binary that means the program runs as root no matter which user started it. What this means for you: if such a binary can be made to spawn a shell, read or write files of your choosing, or run another program you control, you can escalate privileges through it.
As before, a SUID binary that a privileged user runs regularly is also a social-engineering target.
To find all root-owned SUID files, type:

find / -user root -perm -4000 -type f -print 2>/dev/null

This lists every root-owned SUID file on the system (errors from directories you cannot read are discarded). Take your time and check each one: an unusual, custom or outdated SUID binary is often the way to root.
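To make the review of that list quicker, here is an added example (not from the original post) that enumerates SUID files and flags the ones whose names are not in a baseline of binaries normally shipped with the SUID bit. The baseline is an assumed, illustrative list rather than a complete one for any particular distribution, and the directory tree it runs on is constructed in a temp directory for the demo; the real invocation is against /.

```sh
#!/bin/sh
# Added example (not from the original post): enumerate SUID files and flag those
# that are not in a baseline of binaries normally installed with the SUID bit.
# The baseline is an assumed, illustrative list, not a complete one for any distribution.

suid_baseline="passwd su sudo mount umount ping chsh chfn gpasswd newgrp pkexec"

# List regular files with the set-user-ID bit under $1 (use / on a real target; add
# -user root to restrict to root-owned files, as in the find command above).
suid_files() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Print SUID files under $1 whose base name is not in the baseline. These are the
# ones worth a closer look: custom tools, copies of shells, old vulnerable versions.
unexpected_suid() {
    suid_files "$1" | while read -r f; do
        name=${f##*/}
        case " $suid_baseline " in
            *" $name "*) ;;          # known system binary, skip
            *) echo "$f" ;;
        esac
    done
}

# Demo on a constructed directory tree (the real run is: unexpected_suid /).
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/bin" "$demo_root/opt/tools"
for f in bin/su bin/ls opt/tools/backup-helper; do
    : > "$demo_root/$f"
done
chmod 4755 "$demo_root/bin/su" "$demo_root/opt/tools/backup-helper"   # SUID set
chmod 0755 "$demo_root/bin/ls"                                        # ordinary binary
unexpected_suid "$demo_root"   # prints $demo_root/opt/tools/backup-helper
```

A match against the baseline only means the name is expected; a binary that is in the list but old, or installed in an odd location, still deserves a look, so compare the full path and version against what the distribution's package manager says it installed.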